University of Michigan overcomes cyberattack that delayed the academic year.

The University of Michigan has restored internet to its Ann Arbor, Dearborn, and Flint campuses after sustaining a cybersecurity incident over the weekend, EdScoop reports. The company had severed its networks from the internet due to “a significant security concern.” 

University president Santa J. Ono, stated yesterday, “We expect some issues with select U-M systems and services in the short term, and not all of our remediation efforts are complete. However, they will be resolved over the next several days....The investigative work into the security issue continues, and we are not able to share any information that might compromise the investigation. We appreciate your understanding as we continue to move through the investigative process.”

The university is working with federal law enforcement to investigate the incident.

Lessons learned on incident response and defense.

Tom Marsland, VP of Technology at Cloud Range, sees signs of good preparation for incident response. “It’s apparent that the U-M IT and cybersecurity teams had a plan in place to quickly sever their systems from the internet and conduct necessary restorations,” he said. “From the initial announcement made on August 27th at 1:45pm to the restoration on August 30th at 10:30 am, the team worked hard and restored services quickly. In these sorts of circumstances, quickly and decisively making the tough decisions that exist in playbooks and incident response plans is crucial, especially given the size of this enterprise network that serves approximately 50,000 students. Kudos to the team for their hard work.”

Emily Phelps, Director at Cyware, notes that there are inevitably costs involved in incident response, including opportunity costs.  “It is a significant decision for any organization to take its systems offline following a cyberattack, she wrote. “For a large university to make this call the day before classes began illustrates the severity of the attack. Whether an organization's systems are taken down by the attack itself or following the attack to address it safely, the outcome is the same: operational disruption, economic impact, and potential panic. As an industry, we want to enable institutions to move from a reactive to a proactive posture to minimize the need to take their systems offline.”

Dave Ratner, CEO, HYAS, noted that this kind of attack can afflict almost any organization. “This attack further proves that no one should consider themselves safe from being targeted. We live in a world where every organization can and will be breached, and the only solution is to focus on proper operational resiliency, business resiliency, and business continuity,” he said. He also offered some recommendations. “As part of this, visibility and observability into anomalies on the network and the early detection of the digital exhaust from a breach is critical so that an attack can be detected, mediated, and rendered inert before widespread damage ensues. CISA and the NSA don't just recommend Protective DNS for governments and critical infrastructure -- it's increasingly clear that it is a vital component for every organization and network.”